Sunday, January 21, 2018

Aadhar malware

Overview

Today we spotted a malicious app that poses as the Aadhar mobile app. Aadhaar is the identity card issued by the Indian Government to Indian residents: a 12-digit unique identity number assigned on the basis of the holder's biometric and demographic data. It is linked to bank accounts and to basic services such as telecom (SIM card) services. Aadhaar is the world's largest biometric ID system, with over 1.19 billion enrolled members as of 30 Nov 2017.

Data Leak

Recent reports asserted that, for a payment of INR 500 (roughly seven USD) via Paytm, details such as name, address, postal code, photo, phone number and email could be retrieved. The authorities denied that this gave access to the details of millions of Aadhaar cardholders, saying the search facility exists for grievance redressal by designated personnel. Once the story hit the media, privacy advocates began raising security concerns.

Malicious Aadhar Application

Hash (SHA-256): d1170fa637def71e9fd50fbaf1a6c180edaa07859c09d67654302587ab1e9689
File type: Android application (APK)
File size: 11931 KB

We analysed this sample in our controlled environment. After extracting the 'classes.dex' file from the original application, we converted the DEX file to JAR format so the code could be read in a Java decompiler.
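The triage step that precedes the DEX-to-JAR conversion above, as an added example that is not the blog's own tooling: hash the APK, pull classes.dex out of the zip, and validate the DEX header's adler32 checksum and SHA-1 signature, so a tampered or truncated dex is noticed before it goes into dex2jar. The APK and DEX constructed below are placeholders built in memory, not the Aadhar sample, and the map_list they carry is only enough to make the header checks meaningful.

```python
"""Added example (not the blog's own tooling): static triage of an APK before
dex2jar/decompilation. The APK and DEX built here are constructed stand-ins,
not the Aadhar sample."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n"
HEADER_SIZE = 0x70
# Field order of the 20 uint32 values that follow the signature at offset 32.
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(data: bytes) -> dict:
    """Decode the 0x70-byte DEX header and verify its integrity fields.
    checksum  = adler32 over everything after the checksum field (offset 12);
    signature = SHA-1 over everything after the signature (offset 32)."""
    if len(data) < HEADER_SIZE or not data.startswith(DEX_MAGIC):
        raise ValueError("not a DEX file")
    hdr = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", data, 32)))
    hdr["version"] = data[4:7].decode("ascii")
    checksum = struct.unpack_from("<I", data, 8)[0]
    signature = data[12:32]
    hdr["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    hdr["signature_ok"] = hashlib.sha1(data[32:]).digest() == signature
    hdr["size_ok"] = hdr["file_size"] == len(data) and hdr["header_size"] == HEADER_SIZE
    hdr["intact"] = hdr["checksum_ok"] and hdr["signature_ok"] and hdr["size_ok"]
    return hdr


def build_sample_dex(class_defs: int = 3) -> bytes:
    """Constructed minimal DEX: header plus a one-entry map_list. Structurally
    valid for header checks only; it contains no loadable code."""
    map_list = struct.pack("<I", 1) + struct.pack("<HHII", 0x0000, 0, 1, 0)  # TYPE_HEADER_ITEM
    total = HEADER_SIZE + len(map_list)
    buf = bytearray(total)
    buf[0:8] = b"dex\n035\x00"
    fields = [0] * 20
    fields[0], fields[1], fields[2], fields[5] = total, HEADER_SIZE, 0x12345678, HEADER_SIZE
    fields[16], fields[18], fields[19] = class_defs, len(map_list), HEADER_SIZE
    struct.pack_into("<20I", buf, 32, *fields)
    buf[HEADER_SIZE:] = map_list
    buf[12:32] = hashlib.sha1(buf[32:]).digest()                          # signature first
    struct.pack_into("<I", buf, 8, zlib.adler32(buf[12:]) & 0xFFFFFFFF)  # then checksum
    return bytes(buf)


def build_sample_apk(dex: bytes) -> bytes:
    """Constructed APK: a zip holding a placeholder manifest and the given classes.dex."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"placeholder (constructed, not a real binary XML manifest)")
        z.writestr("classes.dex", dex)
    return out.getvalue()


def triage_apk(apk: bytes) -> dict:
    """Hash the APK, list its entries, and header-check every classesN.dex inside it."""
    report = {"sha256": hashlib.sha256(apk).hexdigest(), "size_kb": len(apk) // 1024, "dex": []}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        report["entries"] = z.namelist()
        for name in report["entries"]:
            if name.startswith("classes") and name.endswith(".dex"):
                hdr = parse_dex_header(z.read(name))
                report["dex"].append({"name": name, "version": hdr["version"],
                                      "class_defs": hdr["class_defs_size"], "intact": hdr["intact"]})
    return report


if __name__ == "__main__":
    dex = build_sample_dex()
    print(triage_apk(build_sample_apk(dex)))
    tampered = bytearray(dex)
    tampered[-1] ^= 0xFF  # a single flipped byte breaks both checksum and signature
    print("tampered intact:", parse_dex_header(bytes(tampered))["intact"])
```

On a real sample, replace build_sample_apk() with the bytes of the APK under analysis; an "intact" of False on classes.dex means the file was modified after it was built (or cut short in transit), which is worth recording before trusting what a decompiler shows.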

Figure 1 Dex to jar file

Decompiling the JAR revealed the following code.

Figure 2 Aadhar class

The application contains code for most Aadhar functions: biometric items, a barcode reader (the barcode is part of the Aadhar card), notification response, OTP response and resident profile.

Figure 3 Aadhar functionality

Conclusion

Many people in India do not install anti-malware solutions on their smartphones. More importantly, user awareness is what defeats this kind of mobile malware: a look-alike app should be checked against the official publisher before it is installed.

Sunday, January 14, 2018

Locky ransomware comes with outstanding statement

OVERVIEW

A recent variant of Locky ransomware uses an "outstanding statement" as its point of entry. The spam message carries the subject "outstanding statement" and a JavaScript attachment posing as a customer statement.
File hash (SHA-256): 381272f158b754bf189dce4f7376fa8573583afa1e6659d0e85934080824f4cd
File size: 13 KB
We observed the malicious domains contacted by this JavaScript file.

DELIVERY

The malware is distributed by spam mail carrying a malicious JavaScript file disguised as an email statement. Once the victim executes the JavaScript file, the infection begins. The malicious URLs contacted by the JavaScript file are:

Malicious URLs
hxxp://www.vayvonvietcombank24h(.)net/wp-content/plugins/duplicator/installer/77805e1530d.html
hxxp://www.tinhnghenanovienhanlam(.)com/bkw.php?pdah
hxxp://www.tinhnghenanovienhanlam(.)com/bfw.php?xmk
hxxp://www.tindungvietcombank24h(.)com/zg.php?voa
hxxp://www.tinchapvpbank-hn(.)com/zc.php?gtdc

These domains serve the Locky ransomware payload to victim machines. Specifically, 'vayvonvietcombank24h(.)net' delivers the Locky sample, which is then executed.
The full download URL is hxxp://vayvonvietcombank24h(.)net/tOldHSYW?

INFECTION
Figure 1 Downloaded Locky sample

We also observed variation in the domain extensions used:

Figure 2 Observed pattern in the malicious domain

Analysis of Locky sample

File Hash (SHA-256): da3ab88c61deabf4cb4d296cc0b4a586eeedc89e87adc4ea648ab8fe6a41346c
File Size: 151 KB
We executed the Locky sample in the controlled environment and observed its behaviour. It creates a RunOnce registry entry for persistence, as follows.


Figure 3 Registry entry


ENCRYPTION


Figure 4 Files added after execution ('..doc' extension added)

A large number of files were created, which is the expected behaviour of ransomware as it encrypts and renames files on the system. Every encrypted file carried the '..doc' extension. The read_me.html file is the ransom note; it lists the payment method and a Tor link. The snapshot below shows the contents of the readme HTML:

Figure 5 Readme HTML (payment methods)


Threat Indicator
IOC details:

File hashes:
SHA-256: da3ab88c61deabf4cb4d296cc0b4a586eeedc89e87adc4ea648ab8fe6a41346c (Locky sample)
SHA-256: 381272f158b754bf189dce4f7376fa8573583afa1e6659d0e85934080824f4cd (JavaScript downloader)

Malicious domain:
vayvonvietcombank24h(.)net
tinhnghenanovienhanlam(.)com
tindungvietcombank24h(.)com
tinchapvpbank-hn(.)com

Tor link:
n224ezvhg4sgyamb(.)onion/sup.php

File extension added by this variant of ransomware:
‘..doc’

Registry key:
Key: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value: "BROWSERUPDATECHECK"
Physical location: %appdata%\<lockysample>
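The IOCs listed above, turned into checks a responder can run over artefacts from a suspect host, as an added example that is not the blog's own tooling: the defanged domains are refanged and matched as exact domain suffixes against proxy-log request URLs, a file listing is scanned for the '..doc' extension and the read_me.html note, a pasted `reg query` output is searched for the BROWSERUPDATECHECK RunOnce value, and observed SHA-256 values are compared with the two published hashes. The log lines, file paths and registry output are constructed samples; the Squid-style log layout, the victim paths and the lockysample.exe file name are assumptions, since the post gives only the %appdata% location.

```python
"""Added example (not the blog's own tooling): apply the published Locky IOCs
to constructed proxy-log, file-listing, registry and hash samples."""
import re
from urllib.parse import urlsplit

# IOCs exactly as published (defanged) in the post.
DEFANGED_DOMAINS = [
    "vayvonvietcombank24h(.)net",
    "tinhnghenanovienhanlam(.)com",
    "tindungvietcombank24h(.)com",
    "tinchapvpbank-hn(.)com",
]
KNOWN_HASHES = {
    "da3ab88c61deabf4cb4d296cc0b4a586eeedc89e87adc4ea648ab8fe6a41346c": "Locky sample",
    "381272f158b754bf189dce4f7376fa8573583afa1e6659d0e85934080824f4cd": "JavaScript downloader",
}
ENCRYPTED_EXT = "..doc"
RANSOM_NOTE = "read_me.html"
RUNONCE_VALUE = "BROWSERUPDATECHECK"


def refang(ioc: str) -> str:
    """Turn the published defanged form (hxxp, (.)) back into a matchable string."""
    return ioc.replace("hxxp://", "http://").replace("(.)", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def host_matches(host: str) -> bool:
    """True if host is an IOC domain or a subdomain of one (www. etc.).
    Suffix matching on '.' keeps look-alikes such as ioc.com.example.test out."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_proxy_log(lines):
    """Return (client, url) for lines whose request URL points at an IOC domain.
    Assumed Squid-like layout: <ts> <client> <status> <bytes> <method> <url> ..."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue
        if host_matches(urlsplit(parts[5]).hostname or ""):
            hits.append((parts[1], parts[5]))
    return hits


def scan_file_listing(paths):
    """Return paths carrying the '..doc' extension or named like the ransom note."""
    return [p for p in paths
            if p.lower().endswith(ENCRYPTED_EXT)
            or re.split(r"[\\/]", p)[-1].lower() == RANSOM_NOTE]


def scan_registry_export(text):
    """Find the RunOnce value this variant sets in pasted 'reg query' output."""
    hits, current_key = [], None
    for line in text.splitlines():
        if line.startswith("HK"):
            current_key = line.strip()
            continue
        m = re.match(r"\s+(\S+)\s+REG_\w+\s+(.*)", line)
        if m and current_key and current_key.upper().endswith("\\CURRENTVERSION\\RUNONCE"):
            name, data = m.group(1), m.group(2).strip()
            if name.upper() == RUNONCE_VALUE:
                hits.append((name, data))
    return hits


def check_hashes(observed):
    """observed: {path: sha256 hex}. Return {path: label} for published hashes."""
    return {p: KNOWN_HASHES[h.lower()] for p, h in observed.items() if h.lower() in KNOWN_HASHES}


# Constructed samples (assumed formats and names; only the IOCs are from the post).
SAMPLE_PROXY_LOG = [
    "1516000001.101 10.0.0.12 TCP_MISS/200 13421 GET http://www.example-bank.test/index.html - DIRECT/198.51.100.7 text/html",
    "1516000002.204 10.0.0.12 TCP_MISS/200 154624 GET http://vayvonvietcombank24h.net/tOldHSYW? - DIRECT/203.0.113.10 application/octet-stream",
    "1516000003.310 10.0.0.12 TCP_MISS/200 2048 GET http://www.tinhnghenanovienhanlam.com/bkw.php?pdah - DIRECT/203.0.113.11 text/html",
    "1516000004.415 10.0.0.44 TCP_MISS/200 900 GET http://tinchapvpbank-hn.com.example.test/ - DIRECT/203.0.113.12 text/html",
]
SAMPLE_FILES = [
    r"C:\Users\victim\Documents\budget.xlsx..doc",
    r"C:\Users\victim\Documents\read_me.html",
    r"C:\Users\victim\Documents\notes.doc",
    r"C:\Users\victim\Pictures\holiday.jpg",
]
SAMPLE_REG_QUERY = """HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce
    BROWSERUPDATECHECK    REG_SZ    C:\\Users\\victim\\AppData\\Roaming\\lockysample.exe
    VendorSetup    REG_SZ    C:\\Users\\victim\\AppData\\Local\\Vendor\\setup.exe
"""
SAMPLE_HASHES = {
    r"C:\Users\victim\Downloads\customer statement.js": "381272f158b754bf189dce4f7376fa8573583afa1e6659d0e85934080824f4cd",
    r"C:\Users\victim\AppData\Roaming\lockysample.exe": "da3ab88c61deabf4cb4d296cc0b4a586eeedc89e87adc4ea648ab8fe6a41346c",
    r"C:\Windows\System32\notepad.exe": "0" * 64,
}

if __name__ == "__main__":
    print("proxy:", scan_proxy_log(SAMPLE_PROXY_LOG))
    print("files:", scan_file_listing(SAMPLE_FILES))
    print("runonce:", scan_registry_export(SAMPLE_REG_QUERY))
    print("hashes:", check_hashes(SAMPLE_HASHES))
```

The domain check deliberately does not match 'tinchapvpbank-hn.com.example.test': a plain substring test would, and would produce noise from any host that happens to contain an IOC string. The '..doc' test is likewise an exact suffix, so ordinary '.doc' documents are not flagged.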


Conclusion

We recommend that users apply the IOC details above to block the infection. In this campaign the malicious JavaScript file arrives as a "statement" attachment in an email. Be cautious with attachments from unknown senders, and keep anti-malware software updated, with its anti-ransomware modules enabled, to combat ransomware attacks.





